security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4eb6b3509edf04fee209f4cd0931513d14c57356
blue-team-tools/rules/windows/process_creation
T
History
Nasreddine Bencherchali 4eb6b3509e Update proc_creation_win_accesschk_usage_after_priv_escalation.yml 
Changed the rule as the original was flagging on every usage of "accessChk" which was not the intended behaviour as described.

The modification take into consideration usage of the tool as seen in the referenced presentation and adds some more.
2022-06-21 11:44:51 +01:00
..
proc_creation_win_7zip_cve_2022_29072.yml
Update proc_creation_win_7zip_cve_2022_29072.yml
2022-04-19 17:53:34 +02:00
proc_creation_win_abusing_debug_privilege.yml
chore: harmonization of generic 'nt system' user checks
2022-05-27 15:16:31 +02:00
proc_creation_win_abusing_windows_telemetry_for_persistence.yml
fix: none --> Unknown
2022-03-16 14:19:21 +01:00
proc_creation_win_accesschk_usage_after_priv_escalation.yml
Update proc_creation_win_accesschk_usage_after_priv_escalation.yml
2022-06-21 11:44:51 +01:00
proc_creation_win_ad_find_discovery.yml
docs: minor changes to rules
2022-03-01 16:02:22 +01:00
proc_creation_win_advanced_ip_scanner.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_advanced_port_scanner.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_alternate_data_streams.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_always_install_elevated_msi_spawned_cmd_powershell.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_always_install_elevated_windows_installer.yml
fix: remove penetration test as valid false positive reason
2022-03-16 14:33:18 +01:00
proc_creation_win_anydesk_silent_install.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_anydesk_susp_folder.yml
rule: suspicious anydesk start location
2022-05-24 15:19:45 +02:00
proc_creation_win_anydesk.yml
fix: legitimate --> Legitimate
2022-03-16 14:35:19 +01:00
proc_creation_win_apt_actinium_persistence.yml
Update proc_creation_win_apt_actinium_persistence.yml
2022-04-14 09:59:45 +02:00
proc_creation_win_apt_apt29_thinktanks.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_apt_babyshark.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_apt_bear_activity_gtr19.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_apt_bluemashroom.yml
fix: exclude more Teams Addin variants
2022-03-02 10:36:07 +01:00
proc_creation_win_apt_chafer_mar18.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_apt_cloudhopper.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_apt_dragonfly.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_apt_elise.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_emissarypanda_sep19.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_empiremonkey.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_equationgroup_dll_u_load.yml
chore: increase rule status
2022-03-07 17:10:59 +01:00
proc_creation_win_apt_evilnum_jul20.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_gallium_sha1.yml
refactor condition
2022-06-03 15:35:24 +02:00
proc_creation_win_apt_gallium.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_apt_greenbug_may20.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_apt_hafnium.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_hurricane_panda.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_judgement_panda_gtr19.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_apt_ke3chang_regadd.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_lazarus_activity_apr21.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_apt_lazarus_activity_dec20.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_apt_lazarus_loader.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_apt_lazarus_session_highjack.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_apt_muddywater_dnstunnel.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_apt_mustangpanda.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_pandemic.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_apt_revil_kaseya.yml
fix: detection with Windows Defender
2022-05-20 19:27:48 +02:00
proc_creation_win_apt_slingshot.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_sofacy.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_apt_sourgrum.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_apt_ta17_293a_ps.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_ta505_dropper.yml
update rule to also match on original sample
2022-03-31 12:04:36 +02:00
proc_creation_win_apt_taidoor.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_apt_tropictrooper.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_turla_commands_critical.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_turla_commands_medium.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_turla_comrat_may20.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_unc2452_cmds.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_apt_unc2452_ps.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_unidentified_nov_18.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_winnti_mal_hk_jan20.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_winnti_pipemon.yml
chore: test rules: check for all modifier with single item
2022-05-11 11:06:09 +02:00
proc_creation_win_apt_wocao.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_zxshell.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_archiver_iso_phishing.yml
fix: condition
2022-06-10 13:46:19 +02:00
proc_creation_win_atlassian_confluence_cve_2021_26084_exploit.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_attrib_hiding_files.yml
chore: test rules: capitalization on FP list entries
2022-05-09 16:07:44 +02:00
proc_creation_win_attrib_system.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_automated_collection.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_bad_opsec_sacrificial_processes.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_base64_invoke_susp_cmdlets.yml
new rules
2022-06-01 11:50:34 +02:00
proc_creation_win_base64_listing_shadowcopy.yml
fix: adjusted rules that use utf16le, extended others
2022-03-07 18:14:29 +01:00
proc_creation_win_base64_reflective_assembly_load.yml
fix: added detection
2022-06-01 13:31:57 +02:00
proc_creation_win_bitsadmin_download.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_bootconf_mod.yml
chore: promote status of rules
2022-03-30 11:24:24 +02:00
proc_creation_win_bypass_squiblytwo.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_c3_load_by_rundll32.yml
chore: increase rule status
2022-03-07 17:10:59 +01:00
proc_creation_win_certoc_execution.yml
Rule Update (Batch 2)
2022-05-16 22:02:41 +01:00
proc_creation_win_change_default_file_association.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_cl_invocation_lolscript.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_cl_mutexverifiers_lolscript.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_cleanwipe.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_clip.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_cmd_delete.yml
chore: test rules: warn on errors or invalid FP reasons
2022-05-09 16:07:55 +02:00
proc_creation_win_cmd_dosfuscation.yml
fix: legitimate --> Legitimate
2022-03-16 14:35:19 +01:00
proc_creation_win_cmd_redirect.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_cmdkey_recon.yml
Remove unneeded star
2022-06-11 12:58:14 +02:00
proc_creation_win_cmstp_com_object_access.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_cmstp_execution_by_creation.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_cobaltstrike_load_by_rundll32.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_cobaltstrike_process_patterns.yml
minor changes to description and hash values
2022-03-21 11:19:05 +01:00
proc_creation_win_commandline_path_traversal_evasion.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_commandline_path_traversal.yml
fixing spelling error
2022-03-17 17:27:11 +00:00
proc_creation_win_conhost_path_traversal.yml
Create proc_creation_win_conhost_path_traversal.yml
2022-06-14 17:39:52 +01:00
proc_creation_win_conti_cmd_ransomware.yml
chore: promote status of rules
2022-03-30 11:24:24 +02:00
proc_creation_win_conti_sqlcmd.yml
Rename proc_creation_win_coti_sqlcmd.yml to proc_creation_win_conti_sqlcmd.yml
2022-04-06 10:46:08 -05:00
proc_creation_win_control_panel_item.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_copying_sensitive_files_with_credential_data.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_crackmapexec_patterns.yml
chore: harmonization of generic 'nt system' user checks
2022-05-27 15:16:31 +02:00
proc_creation_win_creation_mavinject_dll.yml
Fix Requested Changes
2022-05-13 15:28:22 +01:00
proc_creation_win_creative_cloud_node_abuse.yml
feat: Add new rule for Creative Cloud node abuse
2022-04-07 10:50:50 +02:00
proc_creation_win_credential_access_via_password_filter.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_crime_fireball.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_crime_maze_ransomware.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_crime_snatch_ransomware.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_crypto_mining_monero.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_cve_2021_26857_msexchange.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_data_compressed_with_rar.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_delete_systemstatebackup.yml
chore: promote status of rules
2022-03-30 11:24:24 +02:00
proc_creation_win_detecting_fake_instances_of_hxtsr.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_dinjector.yml
fix: FPs
2022-03-07 17:11:00 +01:00
proc_creation_win_discover_private_keys.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_dns_exfiltration_tools_execution.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_dns_serverlevelplugindll.yml
refactor condition
2022-06-03 15:35:24 +02:00
proc_creation_win_dnscat2_powershell_implementation.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_dotnet.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_dsim_remove.yml
chore: test rules: warn on errors or invalid FP reasons
2022-05-09 16:07:55 +02:00
proc_creation_win_dumpstack_log_evasion.yml
Add missing "contains" modifier
2022-06-17 14:06:14 +01:00
proc_creation_win_embed_exe_lnk.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_encoded_frombase64string.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_encoded_iex.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_enumeration_for_credentials_in_registry.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_esentutl_webcache.yml
Updated Rules to Use OriginalFileName
2022-05-12 23:27:48 +01:00
proc_creation_win_etw_modification_cmdline.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_etw_trace_evasion.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_evil_winrm.yml
fix: more falsepositives harmonization
2022-03-16 14:57:06 +01:00
proc_creation_win_exfiltration_and_tunneling_tools_execution.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_expand_cabinet_files.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_exploit_cve_2015_1641.yml
chore: increase rule status
2022-03-07 17:10:59 +01:00
proc_creation_win_exploit_cve_2017_0261.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_exploit_cve_2017_8759.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_exploit_cve_2017_11882.yml
chore: promote status of rules
2022-03-31 12:04:37 +02:00
proc_creation_win_exploit_cve_2019_1378.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_exploit_cve_2019_1388.yml
chore: harmonization of generic 'nt system' user checks
2022-05-27 15:16:31 +02:00
proc_creation_win_exploit_cve_2020_1048.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_exploit_cve_2020_1350.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_exploit_cve_2020_10189.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_exploit_lpe_cve_2021_41379.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_exploit_systemnightmare.yml
chore: increase rule status
2022-03-07 17:10:59 +01:00
proc_creation_win_false_sysinternalsuite.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_file_permission_modifications.yml
fix: VSCode icacls
2022-05-12 21:48:05 +02:00
proc_creation_win_findstr_gpp_passwords.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_fsutil_drive_enumeration.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_fsutil_symlinkevaluation.yml
Add "\" to "Image|endswith" modifier
2022-06-02 13:39:07 +01:00
proc_creation_win_gotoopener.yml
fix: legitimate --> Legitimate
2022-03-16 14:35:19 +01:00
proc_creation_win_grabbing_sensitive_hives_via_reg.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_hack_adcspwn.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_hack_bloodhound.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_hack_cube0x0_tools.yml
fix: selection identifier
2022-04-27 17:39:01 +02:00
proc_creation_win_hack_dumpert.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_hack_hydra.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_hack_koadic.yml
fix: remove penetration test as valid false positive reason
2022-03-16 14:33:18 +01:00
proc_creation_win_hack_krbrelay.yml
fix: casing of OriginalFileName
2022-06-08 17:14:49 +02:00
proc_creation_win_hack_krbrelayup.yml
fix: casing of OriginalFileName
2022-06-08 17:14:49 +02:00
proc_creation_win_hack_rubeus.yml
fix: casing of OriginalFileName
2022-06-08 17:14:49 +02:00
proc_creation_win_hack_secutyxploded.yml
chore: promote status of rules
2022-03-31 12:04:37 +02:00
proc_creation_win_hack_wce.yml
fix: more falsepositives harmonization
2022-03-16 14:57:06 +01:00
proc_creation_win_hacktool_imphashes.yml
refactor: uppercase values, DropLoader imphash
2022-03-16 17:56:55 +01:00
proc_creation_win_hashcat.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_headless_browser_file_download.yml
Add status
2022-05-15 16:17:02 +02:00
proc_creation_win_hh_chm.yml
fix: more falsepositives harmonization
2022-03-16 14:57:06 +01:00
proc_creation_win_hiding_malware_in_fonts_folder.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_high_integrity_sdclt.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_hktl_createminidump.yml
refactor: more exact imphash matching
2022-03-07 12:03:32 +01:00
proc_creation_win_hktl_uacme_uac_bypass.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_html_help_spawn.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_hwp_exploits.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_iis_http_logging.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_impacket_compiled_tools.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_impacket_lateralization.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_indirect_cmd.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_infdefaultinstall.yml
Update tags
2022-04-07 14:46:58 +02:00
proc_creation_win_install_reg_debugger_backdoor.yml
chore: test rules: check for all modifier with single item
2022-05-11 11:06:09 +02:00
proc_creation_win_interactive_at.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_invoke_obfuscation_clip.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_invoke_obfuscation_obfuscated_iex_commandline.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_invoke_obfuscation_stdin.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_invoke_obfuscation_var.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_invoke_obfuscation_via_compress.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_invoke_obfuscation_via_rundll.yml
Refactor regex
2022-03-07 19:08:30 +01:00
proc_creation_win_invoke_obfuscation_via_stdin.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_invoke_obfuscation_via_use_clip.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_invoke_obfuscation_via_use_mhsta.yml
fix yaml
2022-03-08 19:14:46 +01:00
proc_creation_win_invoke_obfuscation_via_use_rundll32.yml
Refactor regex
2022-03-08 19:07:37 +01:00
proc_creation_win_invoke_obfuscation_via_var.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_jlaive_batch_execution.yml
New sigma rule to detect the use of Jlaive antivirus defense evasion
2022-05-24 02:40:08 +02:00
proc_creation_win_lethalhta.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_local_system_owner_account_discovery.yml
refactor: one more space char
2022-06-12 18:06:51 +02:00
proc_creation_win_logmein.yml
fix: legitimate --> Legitimate
2022-03-16 14:35:19 +01:00
proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml
FP: citrix icast default userinit logon script.
2022-05-31 21:53:13 +00:00
proc_creation_win_lolbin_adplus.yml
Update proc_creation_win_lolbin_adplus.yml
2022-06-09 16:15:28 +01:00
proc_creation_win_lolbin_aspnet_compiler.yml
Renamed LOLBIN Rules
2022-06-12 21:36:52 +01:00
proc_creation_win_lolbin_bash.yml
Renamed LOLBIN Rules
2022-06-12 21:36:52 +01:00
proc_creation_win_lolbin_certoc_download.yml
Renamed LOLBIN rules + Other
2022-06-12 23:59:25 +01:00
proc_creation_win_lolbin_cl_loadassembly.yml
Renamed LOLBIN Rules 2
2022-06-12 21:37:42 +01:00
proc_creation_win_lolbin_cl_mutexverifiers.yml
Renamed LOLBIN Rules
2022-06-12 21:36:52 +01:00
proc_creation_win_lolbin_class_exec_xwizard.yml
Renamed LOLBIN rules + Other
2022-06-12 23:59:25 +01:00
proc_creation_win_lolbin_cmdl32.yml
Renamed LOLBIN rules + Other
2022-06-12 23:59:25 +01:00
proc_creation_win_lolbin_configsecuritypolicy.yml
Renamed LOLBIN Rules
2022-06-12 21:36:52 +01:00
proc_creation_win_lolbin_cscript_gathernetworkinfo.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml
Renamed LOLBIN Rules
2022-06-12 21:36:52 +01:00
proc_creation_win_lolbin_diantz_ads.yml
Renamed LOLBIN Rules
2022-06-12 21:36:52 +01:00
proc_creation_win_lolbin_diantz_remote_cab.yml
Renamed LOLBIN Rules
2022-06-12 21:36:52 +01:00
proc_creation_win_lolbin_dll_sideload_xwizard.yml
Renamed LOLBIN rules + Other
2022-06-12 23:59:25 +01:00
proc_creation_win_lolbin_dump64.yml
Renamed LOLBIN rules + Other
2022-06-12 23:59:25 +01:00
proc_creation_win_lolbin_execution_via_winget.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_lolbin_extexport.yml
Renamed LOLBIN Rules
2022-06-12 21:36:52 +01:00
proc_creation_win_lolbin_extrac32_ads.yml
Renamed LOLBIN Rules
2022-06-12 21:36:52 +01:00
proc_creation_win_lolbin_extrac32.yml
Renamed LOLBIN Rules
2022-06-12 21:36:52 +01:00
proc_creation_win_lolbin_findstr.yml
Renamed + Refactor "findstr" rule
2022-06-21 11:42:14 +01:00
proc_creation_win_lolbin_forfiles.yml
Update proc_creation_win_lolbin_forfiles.yml
2022-06-14 18:18:14 +01:00
proc_creation_win_lolbin_fsharp_interpreters.yml
Update proc_creation_win_lolbin_fsharp_interpreters.yml
2022-06-02 17:15:15 +02:00
proc_creation_win_lolbin_gpscript.yml
Rule Update (Batch 2)
2022-05-16 22:02:41 +01:00
proc_creation_win_lolbin_ie4uinit.yml
Rule Update (Batch 2)
2022-05-16 22:02:41 +01:00
proc_creation_win_lolbin_ieexec_download.yml
Renamed LOLBIN Rules
2022-06-12 21:36:52 +01:00
proc_creation_win_lolbin_ilasm.yml
Rule Update (Batch 2)
2022-05-16 22:02:41 +01:00
proc_creation_win_lolbin_jsc.yml
Update proc_creation_win_lolbin_jsc.yml
2022-05-05 07:58:25 +02:00
proc_creation_win_lolbin_mftrace.yml
Update proc_creation_win_lolbin_mftrace.yml
2022-06-09 18:52:32 +01:00
proc_creation_win_lolbin_msdt_answer_file.yml
Update MSDT Rules
2022-06-13 14:30:35 +01:00
proc_creation_win_lolbin_offlinescannershell.yml
Renamed LOLBIN Rules
2022-06-12 21:36:52 +01:00
proc_creation_win_lolbin_openconsole.yml
Update proc_creation_win_lolbin_openconsole.yml
2022-06-16 23:41:57 +01:00
proc_creation_win_lolbin_pcalua.yml
Update proc_creation_win_lolbin_pcalua.yml
2022-06-14 17:41:09 +01:00
proc_creation_win_lolbin_pcwrun_follina.yml
Update MSDT Rules
2022-06-13 14:30:35 +01:00
proc_creation_win_lolbin_pcwrun.yml
Renamed LOLBIN rules + Other
2022-06-12 23:59:25 +01:00
proc_creation_win_lolbin_pktmon.yml
Redcannary
2022-03-17 16:48:41 +01:00
proc_creation_win_lolbin_printbrm.yml
Update proc_creation_win_lolbin_printbrm.yml
2022-05-05 08:00:22 +02:00
proc_creation_win_lolbin_pubprn.yml
Renamed LOLBIN Rules
2022-06-12 21:36:52 +01:00
proc_creation_win_lolbin_rasautou_dll_execution.yml
Removed "modified" date
2022-06-13 11:31:47 +01:00
proc_creation_win_lolbin_remote.yml
Update proc_creation_win_lolbin_remote.yml
2022-06-02 09:00:22 -04:00
proc_creation_win_lolbin_replace.yml
Renamed LOLBIN Rules
2022-06-12 21:36:52 +01:00
proc_creation_win_lolbin_rundll32_installscreensaver.yml
Renamed LOLBIN rules + Other
2022-06-12 23:59:25 +01:00
proc_creation_win_lolbin_squirrel.yml
Update proc_creation_win_lolbin_squirrel.yml
2022-06-09 15:58:22 +01:00
proc_creation_win_lolbin_susp_acccheckconsole.yml
Renamed LOLBIN rules + Other
2022-06-12 23:59:25 +01:00
proc_creation_win_lolbin_susp_atbroker.yml
Renamed LOLBIN rules + Other
2022-06-12 23:59:25 +01:00
proc_creation_win_lolbin_susp_certreq_download.yml
Update proc_creation_win_lolbin_susp_certreq_download.yml
2022-06-13 18:27:56 +02:00
proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml
Renamed LOLBIN Rules
2022-06-12 21:36:52 +01:00
proc_creation_win_lolbin_susp_dxcap.yml
Renamed LOLBIN rules + Other
2022-06-12 23:59:25 +01:00
proc_creation_win_lolbin_susp_grpconv.yml
Renamed LOLBIN Rules
2022-06-12 21:36:52 +01:00
proc_creation_win_lolbin_susp_mpcmdrun_download.yml
Removed "modified" date
2022-06-13 11:31:47 +01:00
proc_creation_win_lolbin_susp_sqldumper_activity.yml
Renamed LOLBIN rules + Other
2022-06-12 23:59:25 +01:00
proc_creation_win_lolbin_susp_wsl.yml
Renamed LOLBIN rules + Other
2022-06-12 23:59:25 +01:00
proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml
Renamed to shorter names
2022-06-13 00:52:53 +01:00
proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml
Renamed to shorter names
2022-06-13 00:52:53 +01:00
proc_creation_win_lolbin_ttdinject.yml
Update proc_creation_win_lolbin_ttdinject.yml
2022-05-16 16:53:41 +02:00
proc_creation_win_lolbin_tttracer_mod_load.yml
Renamed LOLBIN rules + Other
2022-06-12 23:59:25 +01:00
proc_creation_win_lolbin_utilityfunctions.yml
Renamed LOLBIN Rules
2022-06-12 21:36:52 +01:00
proc_creation_win_lolbin_visual_basic_compiler.yml
Renamed LOLBIN rules + Other
2022-06-12 23:59:25 +01:00
proc_creation_win_lolbin_visualuiaverifynative.yml
Update proc_creation_win_lolbin_visualuiaverifynative.yml
2022-06-02 13:43:01 +02:00
proc_creation_win_lolbin_vsiisexelauncher.yml
New/Update LOLBIN Rules
2022-06-09 15:56:33 +01:00
proc_creation_win_lolbin_wfc.yml
Update proc_creation_win_lolbin_wfc.yml
2022-06-02 13:47:11 +02:00
proc_creation_win_lolbin_winword.yml
Renamed LOLBIN rules + Other
2022-06-12 23:59:25 +01:00
proc_creation_win_lolbin_wlrmdr.yml
Add "\" to "Image|endswith" modifier
2022-06-02 13:39:07 +01:00
proc_creation_win_lolbins_by_office_applications.yml
add more suspicious child processes / relevant parent processes
2022-06-03 12:17:33 +02:00
proc_creation_win_lolbins_with_wmiprvse_parent_process.yml
Add "\" to "Image|endswith" modifier
2022-06-02 13:39:07 +01:00
proc_creation_win_long_powershell_commandline.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_lsass_dump.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_mailboxexport_share.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_mal_adwind.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_mal_blue_mockingbird.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_mal_darkside_ransomware.yml
chore: promote status of rules
2022-03-30 11:24:24 +02:00
proc_creation_win_mal_hermetic_wiper_activity.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_mal_lockergoga_ransomware.yml
chore: promote status of rules
2022-03-30 11:24:24 +02:00
proc_creation_win_mal_ryuk.yml
chore: test rules: check for all modifier with single item
2022-05-11 11:06:09 +02:00
proc_creation_win_malware_conti_7zip.yml
fix: copy / paste issues
2022-04-13 09:23:08 +02:00
proc_creation_win_malware_conti_shadowcopy.yml
fix: copy / paste issues
2022-04-13 09:23:08 +02:00
proc_creation_win_malware_conti.yml
chore: promote status of rules
2022-03-30 11:24:24 +02:00
proc_creation_win_malware_dridex.yml
chore: promote status of rules
2022-03-31 12:04:37 +02:00
proc_creation_win_malware_dtrack.yml
chore: increase rule status
2022-03-07 17:10:59 +01:00
proc_creation_win_malware_emotet.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_malware_formbook.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_malware_notpetya.yml
fix: values missed escaping
2022-03-05 10:39:15 +01:00
proc_creation_win_malware_qbot.yml
chore: promote status of rules
2022-03-31 12:04:37 +02:00
proc_creation_win_malware_ryuk.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_malware_script_dropper.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_malware_trickbot_recon_activity.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_malware_trickbot_wermgr.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_malware_wannacry.yml
fix: triggering on legitimate diskpart.exe usage
2022-02-28 17:50:30 +01:00
proc_creation_win_manage_bde_lolbas.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_mavinject_proc_inj.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_mimikatz_command_line.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_mmc20_lateral_movement.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_mmc_spawn_shell.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_modif_of_services_for_via_commandline.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_monitoring_for_persistence_via_bits.yml
fix: none --> Unknown
2022-03-16 14:19:21 +01:00
proc_creation_win_mouse_lock.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_msdeploy.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_msdt_diagcab.yml
Add proc_creation_win_msdt_diagcab
2022-06-09 08:57:51 +02:00
proc_creation_win_msdt_susp_parent.yml
docs: add Follina reference in description
2022-06-13 13:30:21 +02:00
proc_creation_win_msdt.yml
Update proc_creation_win_msdt.yml
2022-06-13 16:36:19 +01:00
proc_creation_win_msedge_minimized_download.yml
Add status
2022-05-15 16:17:02 +02:00
proc_creation_win_mshta_javascript.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_mshta_spawn_shell.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_msiexec_dll.yml
fix: wording on two rules
2022-04-26 16:43:44 +02:00
proc_creation_win_msiexec_embedding.yml
Update proc_creation_win_msiexec_embedding.yml
2022-04-19 17:23:45 +02:00
proc_creation_win_msiexec_execute_dll.yml
chore: test rules: check for all modifier with single item
2022-05-11 11:06:09 +02:00
proc_creation_win_msiexec_install_quiet.yml
Typo fix
2022-04-12 11:05:09 -05:00
proc_creation_win_mstsc.yml
Update proc_creation_win_mstsc.yml
2022-06-12 17:52:37 +02:00
proc_creation_win_multiple_susp_cli.yml
Renamed suspicious in filenames to susp
2022-05-19 09:37:04 +02:00
proc_creation_win_net_enum.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_net_use_admin_share.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_net_user_add.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_netcat_execution.yml
ncat pattern
2022-03-15 18:05:13 +01:00
proc_creation_win_netsh_allow_port_rdp.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_netsh_fw_add_susp_image.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_netsh_fw_add.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_netsh_fw_enable_group_rule.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_netsh_packet_capture.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_netsh_port_fwd_3389.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_netsh_port_fwd.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_netsh_wifi_credential_harvesting.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_network_scan_loop.yml
Fix selection_tools
2022-03-12 11:15:10 +01:00
proc_creation_win_network_sniffing.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_new_service_creation.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_nltest_recon.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_non_interactive_powershell.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_non_priv_reg_or_ps.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_office_applications_spawning_wmi_commandline.yml
Add "\" to "Image|endswith" modifier
2022-06-02 13:39:07 +01:00
proc_creation_win_office_dir_traversal_cli.yml
new rule for office directory traversal
2022-06-03 12:17:33 +02:00
proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml
Add "\" to "Image|endswith" modifier
2022-06-02 13:39:07 +01:00
proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml
Add "\" to "Image|endswith" modifier
2022-06-02 13:39:07 +01:00
proc_creation_win_office_shell.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_office_spawn_exe_from_users_directory.yml
add more suspicious child processes / relevant parent processes
2022-06-03 12:17:33 +02:00
proc_creation_win_office_spawning_wmi_commandline.yml
Small Update and New Rule
2022-06-16 23:37:50 +01:00
proc_creation_win_outlook_shell.yml
refining some rules for Follina
2022-06-01 14:44:40 +02:00
proc_creation_win_pingback_backdoor.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_plugx_susp_exe_locations.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_possible_applocker_bypass.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_possible_privilege_escalation_via_service_reg_perm.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_powershell_amsi_bypass.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_powershell_audio_capture.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_powershell_b64_shellcode.yml
chore: increase rule status
2022-03-07 17:10:59 +01:00
proc_creation_win_powershell_bitsjob.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_powershell_cmdline_reversed_strings.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_powershell_cmdline_special_characters.yml
fix: FPs found in production environment
2022-03-09 16:22:33 +01:00
proc_creation_win_powershell_cmdline_specific_comb_methods.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_powershell_defender_base64.yml
fix: adjusted rules that use utf16le, extended others
2022-03-07 18:14:29 +01:00
proc_creation_win_powershell_defender_disable_feature.yml
fix: adjusted rules that use utf16le, extended others
2022-03-07 18:14:29 +01:00
proc_creation_win_powershell_defender_exclusion.yml
Update proc_creation_win_powershell_defender_exclusion.yml
2022-05-12 23:28:14 +01:00
proc_creation_win_powershell_disable_windef_av.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_powershell_dll_execution.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_powershell_downgrade_attack.yml
fix: remove penetration test as valid false positive reason
2022-03-16 14:33:18 +01:00
proc_creation_win_powershell_download_patterns.yml
refactor: additional strings in powershell downloader rule
2022-03-02 11:01:28 +01:00
proc_creation_win_powershell_download.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_powershell_frombase64string.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_powershell_public_folder.yml
Update proc_creation_win_powershell_public_folder.yml
2022-04-07 18:52:45 +02:00
proc_creation_win_powershell_reverse_shell_connection.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_powershell_susp_parameter_variation.yml
Renamed suspicious in filenames to susp
2022-05-19 09:37:04 +02:00
proc_creation_win_powershell_xor_commandline.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_powersploit_empire_schtasks.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_proc_dump_createdump.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_proc_dump_dumpminitool.yml
refactor: extended rule
2022-04-06 17:07:51 +02:00
proc_creation_win_proc_dump_rdrleakdiag.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_proc_dump_susp_dumpminitool.yml
refactor: extended rule
2022-04-06 17:07:51 +02:00
proc_creation_win_proc_wrong_parent.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_procdump_evasion.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_procdump.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_process_dump_rdrleakdiag.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_process_dump_rundll32_comsvcs.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_protocolhandler_susp_file.yml
Renamed suspicious in filenames to susp
2022-05-19 09:37:04 +02:00
proc_creation_win_proxy_execution_wuauclt.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_psexesvc_start.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_public_folder_parent.yml
docs: wording change
2022-02-25 17:29:16 +01:00
proc_creation_win_purplesharp_indicators.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_pypykatz.yml
fix: more falsepositives harmonization
2022-03-16 14:57:06 +01:00
proc_creation_win_python_pty_spawn.yml
windows and linux python pty spawning
2022-06-03 12:17:33 +02:00
proc_creation_win_query_registry.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_ransom_blackbyte.yml
rules: BlackByte rule update, and some generic rules
2022-02-25 16:02:42 +01:00
proc_creation_win_rdp_hijack_shadowing.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_redirect_to_stream.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_redmimicry_winnti_proc.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_reg_add_run_key.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_reg_defender_exclusion.yml
fix: legitimate --> Legitimate
2022-03-16 14:35:19 +01:00
proc_creation_win_reg_defender_tampering.yml
chore: test rules: check for unused selections
2022-05-10 11:07:40 +02:00
proc_creation_win_reg_dump_sam.yml
fix: more falsepositives harmonization
2022-03-16 14:57:06 +01:00
proc_creation_win_reg_enable_rdp.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_reg_lsass_ppl.yml
chore: test rules: check for unused selections
2022-05-10 11:07:40 +02:00
proc_creation_win_reg_service_imagepath_change.yml
refactor: more robust reg add ImagePath rule
2022-03-29 15:21:47 +02:00
proc_creation_win_regedit_export_critical_keys.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_regedit_export_keys.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_regedit_import_keys_ads.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_regedit_import_keys.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_regini_ads.yml
Updated "modified" field
2022-05-09 19:28:50 +01:00
proc_creation_win_regini.yml
Updated "modified" field
2022-05-09 19:28:50 +01:00
proc_creation_win_remote_powershell_session_process.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_remote_time_discovery.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_remove_windows_defender_definition_files.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_renamed_binary_highly_relevant.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_renamed_binary.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_renamed_browsercore.yml
feat: Add rule for renamed browser core execution
2022-06-02 14:17:02 +01:00
proc_creation_win_renamed_jusched.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_renamed_megasync.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_renamed_msdt.yml
Update proc_creation_win_renamed_msdt.yml
2022-06-03 17:03:33 +02:00
proc_creation_win_renamed_paexec.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_renamed_plink.yml
Update proc_creation_win_renamed_plink.yml
2022-06-07 10:43:23 +02:00
proc_creation_win_renamed_powershell.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_renamed_procdump.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_renamed_psexec.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_renamed_rundll32.yml
rule: renamed rundll32.exe
2022-06-08 17:23:29 +02:00
proc_creation_win_renamed_whoami.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_root_certificate_installed.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_rpcss_anomalies.yml
rule: RPCSS service process anomalies
2022-04-13 15:44:10 +02:00
proc_creation_win_run_executable_invalid_extension.yml
updating to ensure match against all system32 execution path
2022-03-20 19:48:51 +00:00
proc_creation_win_run_from_zip.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_run_powershell_script_from_ads.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_run_powershell_script_from_input_stream.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_run_virtualbox.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_rundll32_not_from_c_drive.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_rundll32_parent_explorer.yml
Update proc_creation_win_rundll32_parent_explorer.yml
2022-05-23 16:49:40 -04:00
proc_creation_win_rundll32_registered_com_objects.yml
fix: legitimate --> Legitimate
2022-03-16 14:35:19 +01:00
proc_creation_win_rundll32_without_parameters.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_schtasks_appdata_local_system.yml
new susp service installation rules
2022-03-18 16:08:40 +01:00
proc_creation_win_schtasks_powershell_windowsapps_execution.yml
Update proc_creation_win_schtasks_powershell_windowsapps_execution.yml
2022-04-19 17:31:01 +02:00
proc_creation_win_schtasks_reg_loader.yml
new rule from thedfirreport.com
2022-03-15 16:39:12 +01:00
proc_creation_win_screenconnect_anomaly.yml
rule: ScreenConnect anomaly
2022-02-25 10:31:58 +01:00
proc_creation_win_screenconnect.yml
fix: legitimate --> Legitimate
2022-03-16 14:35:19 +01:00
proc_creation_win_script_event_consumer_spawn.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_sdbinst_shim_persistence.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_sdclt_child_process.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_sdelete.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_sdiagnhost_susp_child.yml
docs: add Follina reference in description
2022-06-13 13:30:21 +02:00
proc_creation_win_service_execution.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_service_stop.yml
chore: harmonization of generic 'nt system' user checks
2022-05-27 15:16:31 +02:00
proc_creation_win_set_policies_to_unsecure_level.yml
fix: reduce level, many legitimate usages expected
2022-02-23 14:13:12 +01:00
proc_creation_win_shadow_copies_access_symlink.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_shadow_copies_creation.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_shadow_copies_deletion.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_shell_spawn_by_java.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_shell_spawn_susp_program.yml
fix: indentation
2022-03-08 17:47:20 +01:00
proc_creation_win_silenttrinity_stage_use.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_software_discovery.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_soundrec_audio_capture.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_spn_enum.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_sqlcmd_veeam_dump.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_sqlite_firefox_cookies.yml
Update proc_creation_win_sqlite_firefox_cookies.yml
2022-04-09 20:01:54 +02:00
proc_creation_win_sticky_keys_unauthenticated_privileged_cmd_access.yml
Update proc_creation_win_sticky_keys_unauthenticated_privileged_cmd_access.yml
2022-04-19 17:32:39 +02:00
proc_creation_win_stickykey_like_backdoor.yml
chore: increase rule status
2022-03-07 17:10:59 +01:00
proc_creation_win_stordiag_execution.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_sus_auditpol_usage.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_7z.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_ad_reco.yml
Renamed suspicious in filenames to susp
2022-05-19 09:37:04 +02:00
proc_creation_win_susp_add_user_remote_desktop.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_adfind_enumerate.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_adfind.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_adidnsdump.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_advancedrun_priv_user.yml
Update proc_creation_win_susp_advancedrun_priv_user.yml
2022-05-05 21:06:53 +01:00
proc_creation_win_susp_advancedrun.yml
Quick Fix
2022-05-13 11:52:31 +01:00
proc_creation_win_susp_athremotefxvgpudisablementcommand.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_base64_invoke.yml
new rules
2022-06-01 11:50:34 +02:00
proc_creation_win_susp_base64_load.yml
Update proc_creation_win_susp_base64_load.yml
2022-06-01 13:06:17 +02:00
proc_creation_win_susp_bcdedit.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_bginfo.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_bitstransfer.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_calc.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_cdb.yml
Update proc_creation_win_susp_cdb.yml
2022-06-09 19:16:38 +01:00
proc_creation_win_susp_certutil_command.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_certutil_encode.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_susp_char_in_cmd.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_susp_child_process_as_system_.yml
fix: specify for local system user
2022-05-27 15:46:56 +02:00
proc_creation_win_susp_cipher.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_susp_cli_escape.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_cmd_http_appdata.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_cmd_shadowcopy_access.yml
fix: copy / paste issues
2022-04-13 09:23:08 +02:00
proc_creation_win_susp_codepage_lookup.yml
fix: event collectors that include spaces in cmd
2022-04-21 07:54:08 +02:00
proc_creation_win_susp_codepage_switch.yml
fix: more falsepositives harmonization
2022-03-16 14:57:06 +01:00
proc_creation_win_susp_commandline_chars.yml
fix: missing author
2022-04-29 16:43:18 +02:00
proc_creation_win_susp_commands_recon_activity.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_compression_params.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_susp_comsvcs_procdump.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_susp_conhost_option.yml
Update proc_creation_win_susp_conhost_option.yml
2022-06-01 09:39:03 +08:00
proc_creation_win_susp_conhost.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_control_cve_2021_40444.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_susp_control_dll_load.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_copy_lateral_movement.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_copy_system32.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_covenant.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_crackmapexec_execution.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_crackmapexec_flags.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_susp_crackmapexec_powershell_obfuscation.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_csc_folder.yml
chore: test rules: capitalization on FP list entries
2022-05-09 16:07:44 +02:00
proc_creation_win_susp_csc.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_cscript_vbs.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_csi.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_curl_download.yml
Update proc_creation_win_susp_curl_download.yml
2022-06-11 02:22:56 +01:00
proc_creation_win_susp_curl_fileupload.yml
Update proc_creation_win_susp_curl_fileupload.yml
2022-06-11 02:23:14 +01:00
proc_creation_win_susp_curl_start_combo.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_curl_useragent.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_dctask64_proc_inject.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_susp_del.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_susp_desktopimgdownldr.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_devinit_lolbin.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_devtoolslauncher.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_susp_dir.yml
refactor condition
2022-06-03 15:35:24 +02:00
proc_creation_win_susp_direct_asep_reg_keys_modification.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_disable_eventlog.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_susp_disable_ie_features.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_disable_raccine.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_diskshadow.yml
docs: adjustments
2022-03-11 18:13:54 +01:00
proc_creation_win_susp_ditsnap.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_susp_dnx.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_double_extension.yml
chore: increase rule status
2022-03-07 17:11:00 +01:00
proc_creation_win_susp_download_office_domain.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_dtrace_kernel_dump.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_emotet_rundll32_execution.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_susp_esentutl_params.yml
Update proc_creation_win_susp_esentutl_params.yml
2022-02-24 11:52:21 -05:00
proc_creation_win_susp_eventlog_clear.yml
chore: promote status of rules
2022-03-30 11:24:24 +02:00
proc_creation_win_susp_execution_path_webserver.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_susp_execution_path.yml
Adjusting condition
2022-05-26 18:38:12 +00:00
proc_creation_win_susp_explorer_break_proctree.yml
Update proc_creation_win_susp_explorer_break_proctree.yml
2022-06-14 19:31:25 +01:00
proc_creation_win_susp_explorer_nouaccheck.yml
fix: FPs found in win2022 domain controller baseline
2022-04-21 10:48:59 +02:00
proc_creation_win_susp_explorer.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_susp_file_characteristics.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_file_download_via_gfxdownloadwrapper.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_findstr_385201.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_findstr_lnk.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_susp_finger_usage.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_firewall_disable.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_format.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_susp_fsutil_usage.yml
chore: promote status of rules
2022-03-30 11:24:24 +02:00
proc_creation_win_susp_ftp.yml
Quick Fix
2022-05-13 11:52:31 +01:00
proc_creation_win_susp_gpresult.yml
Update proc_creation_win_susp_gpresult.yml
2022-05-02 19:25:42 +02:00
proc_creation_win_susp_gup_download.yml
GUP LOLBIN Rules + Update AccCheckConsole Rule
2022-06-10 19:07:25 +01:00
proc_creation_win_susp_gup_execution.yml
Update proc_creation_win_susp_gup_execution.yml
2022-06-10 19:08:30 +01:00
proc_creation_win_susp_gup.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_hostname.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_image_missing.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_susp_instalutil.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_iss_module_install.yml
fix: date in rule
2022-04-04 11:37:55 +02:00
proc_creation_win_susp_lsass_clone.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_machineguid.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_mounted_share_deletion.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_mpiexec_lolbin.yml
refactor: more exact imphash matching
2022-03-07 12:03:32 +01:00
proc_creation_win_susp_mshta_execution.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_mshta_pattern.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_msiexec_cwd.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_msiexec_web_install.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_msoffice.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_net_execution.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_net_use_password_plaintext.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_netsh_command.yml
Update proc_creation_win_susp_netsh_command.yml
2022-04-12 07:55:58 +02:00
proc_creation_win_susp_netsh_dll_persistence.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_network_command.yml
refactor condition
2022-06-03 15:35:24 +02:00
proc_creation_win_susp_network_listing_connections.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_susp_ngrok_pua.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_susp_nmap.yml
refactor condition
2022-06-03 15:35:24 +02:00
proc_creation_win_susp_non_exe_image.yml
fix: FPs found in testing environment
2022-06-20 16:17:54 +02:00
proc_creation_win_susp_nt_resource_kit_auditpol_usage.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_ntdll_type_redirect.yml
rule: ntdll type redirect
2022-03-05 10:39:33 +01:00
proc_creation_win_susp_ntds.yml
fix: more lists with only one parameter
2022-03-11 20:11:06 +01:00
proc_creation_win_susp_ntdsutil.yml
docs: adjustments
2022-03-11 18:13:54 +01:00
proc_creation_win_susp_ntlmrelay.yml
Update proc_creation_win_susp_ntlmrelay.yml
2022-05-06 19:46:24 +02:00
proc_creation_win_susp_odbcconf.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_openwith.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_outlook_temp.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_outlook.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_susp_parents.yml
fix: filter null image in process creation rule
2022-03-29 08:56:47 +02:00
proc_creation_win_susp_pcwutl.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_pester.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_ping_hex_ip.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_plink_remote_forward.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_powershell_cmd_patterns.yml
fix: bugs in rules
2022-05-24 20:18:41 +02:00
proc_creation_win_susp_powershell_download_cradles.yml
fix: indentation
2022-03-24 11:34:00 +01:00
proc_creation_win_susp_powershell_download_iex.yml
fix: add tags
2022-04-05 13:09:43 +02:00
proc_creation_win_susp_powershell_empire_launch.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_susp_powershell_empire_uac_bypass.yml
chore: promote status of rules
2022-03-31 12:04:37 +02:00
proc_creation_win_susp_powershell_enc_cmd.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_susp_powershell_encode.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_susp_powershell_encoded_param.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_powershell_getprocess_lsass.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_susp_powershell_hidden_b64_cmd.yml
fix: remove penetration test as valid false positive reason
2022-03-16 14:33:18 +01:00
proc_creation_win_susp_powershell_iex_patterns.yml
fix: missing timestamp
2022-04-04 11:34:26 +02:00
proc_creation_win_susp_powershell_parent_combo.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_powershell_parent_process.yml
rule: suspicious parents, susp powershell parent rule
2022-03-21 12:57:59 +01:00
proc_creation_win_susp_powershell_sam_access.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_powershell_sub_processes.yml
fix: FP with whoami child
2022-04-26 17:28:17 +02:00
proc_creation_win_susp_powershell_webclient_casing.yml
fix: bugs in rules
2022-05-24 20:18:41 +02:00
proc_creation_win_susp_pressynkey_lolbin.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_print.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_susp_procdump_lsass.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_susp_procdump.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_progname.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_ps_appdata.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_ps_downloadfile.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_psexec_eula.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_psexex_paexec_escalate_system.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_psexex_paexec_flags.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_psloglist.yml
Small Update and New Rule
2022-06-16 23:37:50 +01:00
proc_creation_win_susp_psr_capture_screenshots.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_radmin.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_rar_flags.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_susp_rasdial_activity.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_susp_razorinstaller_explorer.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_rclone_execution.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_recon_activity.yml
Update modified
2022-06-09 13:27:07 +02:00
proc_creation_win_susp_recon_net_activity.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_recon.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_redir_local_admin_share.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_susp_reg_bitlocker.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_susp_reg_disable_sec_services.yml
Added 2 references.\nAdded modified date and author credits.\nAdded WindowsDefender Registry Key options
2022-05-05 17:05:33 +02:00
proc_creation_win_susp_reg_open_command.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_susp_regedit_trustedinstaller.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_register_cimprovider.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_registration_via_cscript.yml
fix: more falsepositives harmonization
2022-03-16 14:57:06 +01:00
proc_creation_win_susp_regsvr32_anomalies.yml
fix: FPs
2022-06-20 12:52:23 +02:00
proc_creation_win_susp_regsvr32_explorer.yml
Update proc_creation_win_susp_regsvr32_explorer.yml
2022-05-06 19:43:43 +02:00
proc_creation_win_susp_regsvr32_flags_anomaly.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_regsvr32_http_pattern.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_regsvr32_image.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_susp_regsvr32_no_dll.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_renamed_dctask64.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_renamed_debugview.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_renamed_paexec.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_rpcping.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_run_folder.yml
fix: missing selection in condition
2022-06-04 12:52:30 +02:00
proc_creation_win_susp_run_locations.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_rundll32_activity.yml
Updated "modified" field
2022-05-09 19:28:50 +01:00
proc_creation_win_susp_rundll32_by_ordinal.yml
Merge branch 'master' into pr/2785
2022-03-08 08:43:59 +01:00
proc_creation_win_susp_rundll32_inline_vbs.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_rundll32_js_runhtmlapplication.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_susp_rundll32_keymgr.yml
docs: false positive condition added
2022-04-21 09:13:06 +02:00
proc_creation_win_susp_rundll32_no_params.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_rundll32_script_run.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_rundll32_setupapi_installhinfsection.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_rundll32_spawn_explorer.yml
Update proc_creation_win_susp_rundll32_spawn_explorer.yml
2022-05-25 17:30:58 -04:00
proc_creation_win_susp_rundll32_sys.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_rundll32_user32_dll.yml
Update proc_creation_win_susp_rundll32_user32_dll.yml
2022-06-04 13:29:37 +02:00
proc_creation_win_susp_runonce_execution.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_susp_runscripthelper.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_sc_query.yml
refactor condition
2022-06-03 15:35:24 +02:00
proc_creation_win_susp_schtask_creation_temp_folder.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_schtask_creation.yml
chore: harmonization of generic 'nt system' user checks
2022-05-27 15:16:31 +02:00
proc_creation_win_susp_schtasks_disable.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_schtasks_env_folder.yml
fix: FP with Suspicius Schtasks rule
2022-03-11 17:04:33 +01:00
proc_creation_win_susp_schtasks_folder_combos.yml
rule: suspicious schtasks rule
2022-04-15 18:22:28 +02:00
proc_creation_win_susp_schtasks_parent.yml
Add "\" to "Image|endswith" modifier
2022-06-02 13:39:07 +01:00
proc_creation_win_susp_schtasks_pattern.yml
Add "\" to "Image|endswith" modifier
2022-06-02 13:39:07 +01:00
proc_creation_win_susp_schtasks_user_temp.yml
Add "\" to "Image|endswith" modifier
2022-06-02 13:39:07 +01:00
proc_creation_win_susp_screenconnect_access.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_screensaver_reg.yml
Add "\" to "Image|endswith" modifier
2022-06-02 13:39:07 +01:00
proc_creation_win_susp_script_exec_from_env_folder.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_script_exec_from_temp.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_script_execution.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_service_dacl_modification.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_susp_service_dir.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_service_modification.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_service_path_modification.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_servu_exploitation_cve_2021_35211.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_servu_process_pattern.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_susp_sharpview.yml
fix: remove penetration test as valid false positive reason
2022-03-16 14:33:18 +01:00
proc_creation_win_susp_shell_spawn_by_java_keytool.yml
Revert "rule: suspicious PowerShell sub processes"
2022-04-26 17:05:41 +02:00
proc_creation_win_susp_shell_spawn_by_java.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_shell_spawn_from_mssql.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_susp_shell_spawn_from_winrm.yml
Small Update and New Rule
2022-06-16 23:37:50 +01:00
proc_creation_win_susp_shimcache_flush.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_susp_shutdown.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_splwow64.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_spoolsv_child_processes.yml
Add "\" to "Image|endswith" modifier
2022-06-02 13:39:07 +01:00
proc_creation_win_susp_squirrel_lolbin.yml
chore: test rules: check for all modifier with single item
2022-05-11 11:06:09 +02:00
proc_creation_win_susp_svchost_no_cli.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_susp_svchost.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_sysprep_appdata.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_susp_system_user_anomaly.yml
fix: FP with SYSTEM user rule
2022-04-27 12:01:58 +02:00
proc_creation_win_susp_systeminfo.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_sysvol_access.yml
fix: more falsepositives harmonization
2022-03-16 14:57:06 +01:00
proc_creation_win_susp_takeown.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_target_location_shell32.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_taskkill.yml
Update proc_creation_win_susp_taskkill.yml
2022-05-18 17:28:26 +02:00
proc_creation_win_susp_tasklist_command.yml
refactor condition
2022-06-03 15:35:24 +02:00
proc_creation_win_susp_taskmgr_localsystem.yml
chore: harmonization of generic 'nt system' user checks
2022-05-27 15:16:31 +02:00
proc_creation_win_susp_taskmgr_parent.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_tracker_execution.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_susp_trolleyexpress_procdump.yml
Fix Requested Changes
2022-05-13 15:28:22 +01:00
proc_creation_win_susp_tscon_localsystem.yml
chore: harmonization of generic 'nt system' user checks
2022-05-27 15:16:31 +02:00
proc_creation_win_susp_tscon_rdp_redirect.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_uac_bypass_trustedpath.yml
chore: increase rule status
2022-03-07 17:10:59 +01:00
proc_creation_win_susp_use_of_csharp_console.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_use_of_sqlps_bin.yml
Fix detection
2022-02-25 15:39:26 +01:00
proc_creation_win_susp_use_of_sqltoolsps_bin.yml
Fix detection
2022-02-25 15:39:26 +01:00
proc_creation_win_susp_use_of_te_bin.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_use_of_vsjitdebugger_bin.yml
chore: test rules: capitalization on FP list entries
2022-05-09 16:07:44 +02:00
proc_creation_win_susp_userinit_child.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_vaultcmd.yml
Quick Fix
2022-05-13 11:52:31 +01:00
proc_creation_win_susp_vboxdrvinst.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_vbscript_unc2452.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_susp_volsnap_disable.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_web_request_cmd.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_webdav_client_execution.yml
Quick Fix
2022-05-13 11:52:31 +01:00
proc_creation_win_susp_where_execution.yml
Quick Fix
2022-05-13 11:52:31 +01:00
proc_creation_win_susp_whoami_anomaly.yml
Quick Fix
2022-05-13 11:52:31 +01:00
proc_creation_win_susp_whoami_as_param.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_whoami.yml
Quick Fix
2022-05-13 11:52:31 +01:00
proc_creation_win_susp_winrar_dmp.yml
Add missing "contains" modifier
2022-06-17 14:06:14 +01:00
proc_creation_win_susp_winrar_execution.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_winrm_awl_bypass.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_winrm_execution.yml
Quick Fix
2022-05-13 11:52:31 +01:00
proc_creation_win_susp_winzip.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_susp_wmi_execution.yml
Quick Fix
2022-05-13 11:52:31 +01:00
proc_creation_win_susp_wmic_eventconsumer_create.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_wmic_proc_create_rundll32.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_wmic_security_product_uninstall.yml
Rules Update
2022-06-03 20:29:59 +01:00
proc_creation_win_susp_workfolders.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_wuauclt_cmdline.yml
Quick Fix
2022-05-13 11:52:31 +01:00
proc_creation_win_susp_wuauclt.yml
Quick Fix
2022-05-13 11:52:31 +01:00
proc_creation_win_susp_zip_compress.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_zipexec.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_sysinternals_eula_accepted.yml
Update proc_creation_win_sysinternals_eula_accepted.yml
2022-06-16 14:49:17 +08:00
proc_creation_win_sysinternals_psservice.yml
Small Update and New Rule
2022-06-16 23:37:50 +01:00
proc_creation_win_sysmon_driver_unload.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_sysmon_uac_bypass_eventvwr.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_system_exe_anomaly.yml
Fix duplicate cast
2022-05-25 11:19:09 +02:00
proc_creation_win_tap_installer_execution.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_task_folder_evasion.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_termserv_proc_spawn.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_tool_nircmd_as_system.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_tool_nircmd.yml
Quick Fix
2022-05-13 11:52:31 +01:00
proc_creation_win_tool_nsudo_execution.yml
Update proc_creation_win_tool_nsudo_execution.yml
2022-06-07 17:00:35 +01:00
proc_creation_win_tool_psexec.yml
refactor condition
2022-06-03 15:35:24 +02:00
proc_creation_win_tool_runx_as_system.yml
Renamed LOLBIN rules + Other
2022-06-12 23:59:25 +01:00
proc_creation_win_tools_relay_attacks.yml
chore: increase rule status
2022-03-07 17:10:59 +01:00
proc_creation_win_tor_browser.yml
Rename win_pc_tor_browser.yml to proc_creation_win_tor_browser.yml
2022-02-20 17:59:53 +01:00
proc_creation_win_trust_discovery.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_uac_bypass_changepk_slui.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_uac_bypass_cleanmgr.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_uac_bypass_cmstp.yml
Renamed LOLBIN rules + Other
2022-06-12 23:59:25 +01:00
proc_creation_win_uac_bypass_computerdefaults.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_uac_bypass_consent_comctl32.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_uac_bypass_dismhost.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_uac_bypass_fodhelper.yml
Renamed LOLBIN rules + Other
2022-06-12 23:59:25 +01:00
proc_creation_win_uac_bypass_ieinstal.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_uac_bypass_msconfig_gui.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_uac_bypass_ntfs_reparse_point.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_uac_bypass_pkgmgr_dism.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_uac_bypass_winsat.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_uac_bypass_wmp.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_uac_bypass_wsreset_integrity_level.yml
Renamed LOLBIN rules + Other
2022-06-12 23:59:25 +01:00
proc_creation_win_uac_bypass_wsreset.yml
Renamed LOLBIN rules + Other
2022-06-12 23:59:25 +01:00
proc_creation_win_uninstall_crowdstrike_falcon.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_uninstall_sysmon.yml
refactor condition
2022-06-03 15:35:24 +02:00
proc_creation_win_using_sc_to_change_sevice_image_path_by_non_admin.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_using_sc_to_hide_sevices.yml
Quick Fix
2022-05-13 11:52:31 +01:00
proc_creation_win_using_settingsynchost_as_lolbin.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_verclsid_runs_com.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_vmtoolsd_susp_child_process.yml
Quick Fix
2022-05-13 11:52:31 +01:00
proc_creation_win_vul_java_remote_debugging.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_webshell_detection.yml
Quick Fix
2022-05-13 11:52:31 +01:00
proc_creation_win_webshell_hacking.yml
fix: single list element
2022-03-21 12:33:55 +01:00
proc_creation_win_webshell_recon_detection.yml
fix: single list element
2022-03-21 12:33:55 +01:00
proc_creation_win_webshell_spawn.yml
Update proc_creation_win_webshell_spawn.yml
2022-05-15 14:57:21 +10:00
proc_creation_win_whoami_as_priv_user.yml
Quick Fix
2022-05-13 11:52:31 +01:00
proc_creation_win_whoami_as_system.yml
Quick Fix
2022-05-13 11:52:31 +01:00
proc_creation_win_whoami_priv.yml
Quick Fix
2022-05-13 11:52:31 +01:00
proc_creation_win_win10_sched_task_0day.yml
Quick Fix
2022-05-13 11:52:31 +01:00
proc_creation_win_win_exchange_transportagent.yml
fix: legitimate --> Legitimate
2022-03-16 14:35:19 +01:00
proc_creation_win_winword_dll_load.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_wmi_backdoor_exchange_transport_agent.yml
fix: FPs noticed with EdgeTransport sub processes
2022-03-18 10:18:40 +01:00
proc_creation_win_wmi_persistence_script_event_consumer.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_wmi_spwns_powershell.yml
Update proc_creation_win_wmi_spwns_powershell.yml
2022-05-13 15:33:48 +01:00
proc_creation_win_wmic_reconnaissance.yml
Quick Fix
2022-05-13 11:52:31 +01:00
proc_creation_win_wmic_remote_command.yml
Quick Fix
2022-05-13 11:52:31 +01:00
proc_creation_win_wmic_remote_service.yml
Quick Fix
2022-05-13 11:52:31 +01:00
proc_creation_win_wmic_remove_application.yml
Quick Fix
2022-05-13 11:52:31 +01:00
proc_creation_win_wmiprvse_spawning_process.yml
chore: harmonization of generic 'nt system' user checks
2022-05-27 15:16:31 +02:00
proc_creation_win_workflow_compiler.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_write_protect_for_storage_disabled.yml
fix: none --> Unknown
2022-03-16 14:19:21 +01:00
proc_creation_win_wsreset_uac_bypass.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_xordump.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_xsl_script_processing.yml
chore: test rules: capitalization on FP list entries
2022-05-09 16:07:44 +02:00
process_creation_apt_gamaredon_ultravnc.yml
docs: changed UltraVNC flags rule < Gamaredon
2022-03-09 08:17:14 +01:00
process_creation_win_arbitrary_shell_execution_via_settingcontent.yml
refactor: proposed changes from issue #2917
2022-04-14 16:57:30 +02:00
process_creation_win_asr_bypass_via_appvlp_re.yml
refactor: proposed changes from issue #2917
2022-04-14 16:57:30 +02:00
process_creation_win_powershell_snapins_hafnium.yml
New/Update Rules
2022-06-06 21:16:52 +01:00